Ledger Nano X - The secure hardware wallet
SHARE
TWEET

ssl.conf

a guest Oct 23rd, 2013 69 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #
  2. # This is the Apache server configuration file providing SSL support.
  3. # It contains the configuration directives to instruct the server how to
  4. # serve pages over an https connection. For detailing information about these
  5. # directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
  6. #
  7. # Do NOT simply read the instructions in here without understanding
  8. # what they do.  They're here only as hints or reminders.  If you are unsure
  9. # consult the online docs. You have been warned.  
  10. #
  11.  
  12. LoadModule ssl_module modules/mod_ssl.so
  13.  
  14. #
  15. # When we also provide SSL we have to listen to the
  16. # the HTTPS port in addition.
  17. #
  18. Listen 443
  19.  
  20. ##
  21. ##  SSL Global Context
  22. ##
  23. ##  All SSL configuration in this context applies both to
  24. ##  the main server and all SSL-enabled virtual hosts.
  25. ##
  26.  
  27. #
  28. #   Some MIME-types for downloading Certificates and CRLs
  29. #
  30. AddType application/x-x509-ca-cert .crt
  31. AddType application/x-pkcs7-crl    .crl
  32.  
  33. #   Pass Phrase Dialog:
  34. #   Configure the pass phrase gathering process.
  35. #   The filtering dialog program (`builtin' is a internal
  36. #   terminal dialog) has to provide the pass phrase on stdout.
  37. SSLPassPhraseDialog  builtin
  38.  
  39. #   Inter-Process Session Cache:
  40. #   Configure the SSL Session Cache: First the mechanism
  41. #   to use and second the expiring timeout (in seconds).
  42. #SSLSessionCache        dc:UNIX:/var/cache/mod_ssl/distcache
  43. SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
  44. SSLSessionCacheTimeout  300
  45.  
  46. #   Semaphore:
  47. #   Configure the path to the mutual exclusion semaphore the
  48. #   SSL engine uses internally for inter-process synchronization.
  49. SSLMutex default
  50.  
  51. #   Pseudo Random Number Generator (PRNG):
  52. #   Configure one or more sources to seed the PRNG of the
  53. #   SSL library. The seed data should be of good random quality.
  54. #   WARNING! On some platforms /dev/random blocks if not enough entropy
  55. #   is available. This means you then cannot use the /dev/random device
  56. #   because it would lead to very long connection times (as long as
  57. #   it requires to make more entropy available). But usually those
  58. #   platforms additionally provide a /dev/urandom device which doesn't
  59. #   block. So, if available, use this one instead. Read the mod_ssl User
  60. #   Manual for more details.
  61. SSLRandomSeed startup file:/dev/urandom  256
  62. SSLRandomSeed connect builtin
  63. #SSLRandomSeed startup file:/dev/random  512
  64. #SSLRandomSeed connect file:/dev/random  512
  65. #SSLRandomSeed connect file:/dev/urandom 512
  66.  
  67. #
  68. # Use "SSLCryptoDevice" to enable any supported hardware
  69. # accelerators. Use "openssl engine -v" to list supported
  70. # engine names.  NOTE: If you enable an accelerator and the
  71. # server does not start, consult the error logs and ensure
  72. # your accelerator is functioning properly.
  73. #
  74. SSLCryptoDevice builtin
  75. #SSLCryptoDevice ubsec
  76.  
  77. ##
  78. ## SSL Virtual Host Context
  79. # Use name-base virtual hosting
  80. NameVirtualHost *:443
  81.  
  82. <VirtualHost *:443>
  83.  DocumentRoot "/var/www/app.example.com/web"
  84.  #ServerName example.com:443
  85.  #ServerAlias www.example.com
  86.  # Use separate log files for the SSL virtual host; note that LogLevel
  87. # is not inherited from httpd.conf.
  88. ErrorLog logs/ssl_error_log
  89. TransferLog logs/ssl_access_log
  90. LogLevel warn
  91.  
  92. <Directory "/var/www/app.example.com/web">
  93. Options Indexes FollowSymLinks
  94. AllowOverride All
  95. Order allow,deny
  96. Allow from all
  97. </Directory>
  98.  
  99.  
  100. #   SSL Engine Switch:
  101. #   Enable/Disable SSL for this virtual host.
  102. SSLEngine on
  103.  
  104. #   SSL Protocol support:
  105. # List the enable protocol levels with which clients will be able to
  106. # connect.  Disable SSLv2 access by default:
  107. SSLProtocol all -SSLv2
  108.  
  109. #   SSL Cipher Suite:
  110. # List the ciphers that the client is permitted to negotiate.
  111. # See the mod_ssl documentation for a complete list.
  112. SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
  113.  
  114. #   Server Certificate:
  115. # Point SSLCertificateFile at a PEM encoded certificate.  If
  116. # the certificate is encrypted, then you will be prompted for a
  117. # pass phrase.  Note that a kill -HUP will prompt again.  A new
  118. # certificate can be generated using the genkey(1) command.
  119. #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
  120. SSLCertificateFile /etc/pki/ssl_app_example/public.crt
  121.  
  122. #   Server Private Key:
  123. #   If the key is not combined with the certificate, use this
  124. #   directive to point at the key file.  Keep in mind that if
  125. #   you've both a RSA and a DSA private key you can configure
  126. #   both in parallel (to also allow the use of DSA ciphers, etc.)
  127. #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
  128. SSLCertificateKeyFile /etc/pki/ssl_app_example/private.key
  129.  
  130. #   Server Certificate Chain:
  131. #   Point SSLCertificateChainFile at a file containing the
  132. #   concatenation of PEM encoded CA certificates which form the
  133. #   certificate chain for the server certificate. Alternatively
  134. #   the referenced file can be the same as SSLCertificateFile
  135. #   when the CA certificates are directly appended to the server
  136. #   certificate for convinience.
  137. #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
  138.  
  139. #   Certificate Authority (CA):
  140. #   Set the CA certificate verification path where to find CA
  141. #   certificates for client authentication or alternatively one
  142. #   huge file containing all of them (file must be PEM encoded)
  143. #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
  144. SSLCACertificateFile /etc/pki/ssl_app_example/intermediate.crt
  145.  
  146. #   Client Authentication (Type):
  147. #   Client certificate verification type and depth.  Types are
  148. #   none, optional, require and optional_no_ca.  Depth is a
  149. #   number which specifies how deeply to verify the certificate
  150. #   issuer chain before deciding the certificate is not valid.
  151. #SSLVerifyClient require
  152. #SSLVerifyDepth  10
  153.  
  154. #   Access Control:
  155. #   With SSLRequire you can do per-directory access control based
  156. #   on arbitrary complex boolean expressions containing server
  157. #   variable checks and other lookup directives.  The syntax is a
  158. #   mixture between C and Perl.  See the mod_ssl documentation
  159. #   for more details.
  160. #<Location />
  161. #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
  162. #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
  163. #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
  164. #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
  165. #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
  166. #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
  167. #</Location>
  168.  
  169. #   SSL Engine Options:
  170. #   Set various options for the SSL engine.
  171. #   o FakeBasicAuth:
  172. #     Translate the client X.509 into a Basic Authorisation.  This means that
  173. #     the standard Auth/DBMAuth methods can be used for access control.  The
  174. #     user name is the `one line' version of the client's X.509 certificate.
  175. #     Note that no password is obtained from the user. Every entry in the user
  176. #     file needs this password: `xxj31ZMTZzkVA'.
  177. #   o ExportCertData:
  178. #     This exports two additional environment variables: SSL_CLIENT_CERT and
  179. #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
  180. #     server (always existing) and the client (only existing when client
  181. #     authentication is used). This can be used to import the certificates
  182. #     into CGI scripts.
  183. #   o StdEnvVars:
  184. #     This exports the standard SSL/TLS related `SSL_*' environment variables.
  185. #     Per default this exportation is switched off for performance reasons,
  186. #     because the extraction step is an expensive operation and is usually
  187. #     useless for serving static content. So one usually enables the
  188. #     exportation for CGI and SSI requests only.
  189. #   o StrictRequire:
  190. #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
  191. #     under a "Satisfy any" situation, i.e. when it applies access is denied
  192. #     and no other module can change it.
  193. #   o OptRenegotiate:
  194. #     This enables optimized SSL connection renegotiation handling when SSL
  195. #     directives are used in per-directory context.
  196. #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
  197. <Files ~ "\.(cgi|shtml|phtml|php3?)$">
  198.     SSLOptions +StdEnvVars
  199. </Files>
  200. <Directory "/var/www/cgi-bin">
  201.     SSLOptions +StdEnvVars
  202. </Directory>
  203.  
  204. #   SSL Protocol Adjustments:
  205. #   The safe and default but still SSL/TLS standard compliant shutdown
  206. #   approach is that mod_ssl sends the close notify alert but doesn't wait for
  207. #   the close notify alert from client. When you need a different shutdown
  208. #   approach you can use one of the following variables:
  209. #   o ssl-unclean-shutdown:
  210. #     This forces an unclean shutdown when the connection is closed, i.e. no
  211. #     SSL close notify alert is send or allowed to received.  This violates
  212. #     the SSL/TLS standard but is needed for some brain-dead browsers. Use
  213. #     this when you receive I/O errors because of the standard approach where
  214. #     mod_ssl sends the close notify alert.
  215. #   o ssl-accurate-shutdown:
  216. #     This forces an accurate shutdown when the connection is closed, i.e. a
  217. #     SSL close notify alert is send and mod_ssl waits for the close notify
  218. #     alert of the client. This is 100% SSL/TLS standard compliant, but in
  219. #     practice often causes hanging connections with brain-dead browsers. Use
  220. #     this only for browsers where you know that their SSL implementation
  221. #     works correctly.
  222. #   Notice: Most problems of broken clients are also related to the HTTP
  223. #   keep-alive facility, so you usually additionally want to disable
  224. #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
  225. #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
  226. #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
  227. #   "force-response-1.0" for this.
  228. SetEnvIf User-Agent ".*MSIE.*" \
  229.          nokeepalive ssl-unclean-shutdown \
  230.          downgrade-1.0 force-response-1.0
  231.  
  232. #   Per-Server Logging:
  233. #   The home of a custom SSL log file. Use this when you want a
  234. #   compact non-error SSL logfile on a virtual host basis.
  235. CustomLog logs/ssl_request_log \
  236.           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
  237.  
  238. </VirtualHost>
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Top